
Fixes around the Apache log4j library

Updated: Dec 22, 2021


The vulnerability in the Apache log4j library affects Squash TM, Xsquash Cloud and Squash TF.



Squash TM


For Squash TM, corrections are available for all maintained versions; they include the update of log4j to version 2.17.


The corrective versions are the following:

These versions also fix the vulnerability for plugins, including the Squash AUTOM and Squash DEVOPS plugins.



This update is iso-functional (it changes no application behaviour), so it is transparent to your users. If you are running version 1.21, 2.0 or 2.1, the fix only requires updating the application.


For version 1.22: if you are running a version lower than 1.22.5, a database update is also necessary; if you are running 1.22.5 or higher, only the application update is required.


All versions of Squash TM are affected, but only the supported versions have a fix. Therefore, if you are using a version prior to 1.21, we invite you to upgrade to at least 1.21.7.



We strongly recommend that you upgrade as soon as possible.


This vulnerability does not impact Docker installations.



Xsquash Cloud


New versions of Xsquash Cloud for Jira Cloud are also available. If you have an Xsquash Cloud hosted at Henix, it has already been updated by us.

Xsquash plugins for Jira Server and Data Center are not impacted.



Squash TF


For Squash TF, here is the procedure to follow (in the case of a Docker deployment, it must be carried out inside the container):


1) Download the new libraries:


2) In the installation directory of the server/agent, go to the apache-maven-3.5.0/lib/ext directory.

You should see something similar to this (screenshot of the apache-maven-3.5.0/lib/ext directory listing):


3) Delete the 3 existing jar files (the log4j libraries) and replace them with the downloaded ones.
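As an added example (not part of this advisory and not a Squash TF or Henix script), the following POSIX shell script checks the result of step 3: it scans a lib/ext directory, parses the version out of every log4j-*.jar file name, and fails if any jar is older than 2.17.0 or if an old jar was left behind next to the new ones. The directory path, the minimum version 2.17.0 (taken from the Squash TM section above) and the log4j-<module>-<version>.jar naming pattern are assumptions; the file names in the comments are constructed.

```shell
#!/bin/sh
# Added example: verify that the log4j jars Squash TF's Maven runtime loads
# from apache-maven-3.5.0/lib/ext are all at or above the fixed version.
# Assumptions: jar names follow log4j-<module>-<version>.jar and 2.17.0 is
# the minimum acceptable version. In a Docker deployment run it inside
# the container.

MIN_LOG4J_VERSION="2.17.0"

# Compare two dotted versions numerically (2.17 == 2.17.0 < 2.17.1).
# Returns 0 when $1 >= $2, 1 otherwise.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Extract the version from a jar file name, e.g. log4j-core-2.17.0.jar -> 2.17.0.
# If the name does not end in -<digits.digits...>, the whole name is echoed back
# and the caller treats it as unparseable.
jar_version() {
  basename "$1" .jar | sed 's/.*-\([0-9][0-9.]*\)$/\1/'
}

# Check every log4j-*.jar in the given directory.
# Prints one line per jar and returns 0 only when every jar is >= MIN_LOG4J_VERSION.
# A leftover old jar next to the new ones (step 3 not fully done) makes it fail.
check_log4j_dir() {
  dir=$1
  status=0
  found=0
  for jar in "$dir"/log4j-*.jar; do
    [ -e "$jar" ] || continue      # no match: the glob stays literal, skip it
    found=1
    ver=$(jar_version "$jar")
    case "$ver" in
      *[!0-9.]*|"")
        echo "UNKNOWN    $jar (cannot parse version from file name)"
        status=1
        continue ;;
    esac
    if version_ge "$ver" "$MIN_LOG4J_VERSION"; then
      echo "OK         $jar ($ver)"
    else
      echo "VULNERABLE $jar ($ver < $MIN_LOG4J_VERSION)"
      status=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no log4j-*.jar found in $dir"
    status=1
  fi
  return "$status"
}

# Usage: sh check_log4j.sh /opt/squash-tf/apache-maven-3.5.0/lib/ext
# (path is a constructed example). Exit status 0 means all jars are fixed.
if [ "$#" -gt 0 ]; then
  check_log4j_dir "$1"
  exit $?
fi
```

The check is deliberately based on file names only: it confirms that the three downloaded jars are in place and that none of the old ones survived, which is exactly what step 3 requires. It does not inspect jar contents, so it will not notice a renamed file; the same script can be pointed at the library directory of any other Java installation (a Squash TM one, for instance) that ships log4j jars named the usual way.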


The Docker images of the TF agents are not impacted:

  • squash-tf-execution-agent.docker.2.3.1-RELEASE.tar

  • squash-tf-chrome-ui-execution-agent.docker.2.3.1-RELEASE.tar

  • squash-tf-firefox-ui-execution-agent.docker.2.3.1-RELEASE.tar


Squash Orchestrator


Squash Orchestrator, and OpenTestFactory that it includes, are not impacted.


